OASIS Mailing List Archives

xacml message


Subject: [xacml] [CR] Do not include functions, depending on sequence<type> order as mandatory core functions.


Exclude <type>-first, <type>-rest, <type>-sequence-equal functions from the
core set.  Possibly leave them as non-mandatory functions.

Add <type>-set-equal function with semantics of unordered set equality,
and <type>-subset functions (the second one is already in the latest version of
the appendix).

Leave <type>-first-and-only  sequence to singleton conversion function.

XACML data model specification - PIP and virtual context - does not
guarantee any order for attributes, occurring multiple times in the context -
not even within the same rule at evaluation instance - nor to be immutable
in time.
For example: if writing a rule that restricts access to a resource, unless
its ID is "member-of" one of the "resourcesID" attribute, PIP may retrieve
the sequence from an external source, such as relational database, directory
or from XML document(s).
It is to be expected that the order of the sequence of such attributes is
not specified, and no sorting criteria can be universally defined, and no
guarantee that the next retrieval will preserve the order is given.
It is not, and can not be, reliably specified what is the persistence model
of such ordered sequence of values, once it is retrieved and whether is not
Thus, any rule written with reliance on the order in the sequence, may
produce inconsistent results for the same logical state of the context, for
different evaluations, and even for the same evaluation, if done in
parallel.  This I consider the worst possible behavior for such a system.

Other reasoning:
There is no use case for type-rest() function suggested.
As an example - try to write a condition returning true if every element in
an arbitrary sequence of numbers is greater than 3.

(my solution is to define an extension function performing such comparison -
when it is needed)
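
The inconsistency argued in the message can be checked mechanically by evaluating a rule against every order in which a PIP could deliver the same attribute values. The following Python sketch is an added example, not part of the original message or of any XACML implementation; the function names are hypothetical models of the <type>-first, <type>-sequence-equal, <type>-set-equal and "member-of" semantics, and the attribute values are constructed.

```python
from itertools import permutations

# Constructed sample: values a PIP might return for the "resourcesID" attribute.
RESOURCE_IDS = ["res-17", "res-42", "res-99"]

# Hypothetical Python models of the functions named in the message.
def first(bag):                      # <type>-first: depends on delivery order
    return bag[0]

def sequence_equal(a, b):            # <type>-sequence-equal: depends on order
    return list(a) == list(b)

def set_equal(a, b):                 # proposed <type>-set-equal: unordered
    return set(a) == set(b)

def member_of(value, bag):           # "member-of": unordered membership
    return value in bag

def all_greater_than(bag, limit):    # extension function from the closing example
    return all(v > limit for v in bag)

def outcomes(rule, bag):
    """Evaluate one rule against every order the PIP could deliver the
    same logical attribute values in; return the distinct results."""
    return {rule(list(p)) for p in permutations(bag)}

RULES = {
    "first == res-42": lambda bag: first(bag) == "res-42",
    "sequence-equal": lambda bag: sequence_equal(bag, ["res-17", "res-42", "res-99"]),
    "member-of res-42": lambda bag: member_of("res-42", bag),
    "set-equal": lambda bag: set_equal(bag, ["res-99", "res-17", "res-42"]),
}

def report():
    """Map each rule to 'stable' or 'order-dependent'."""
    return {name: "stable" if len(outcomes(rule, RESOURCE_IDS)) == 1 else "order-dependent"
            for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:20} {verdict}")
```

A rule whose outcome set contains both True and False can return different access decisions for the same logical context, which is the behavior the message objects to.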
